Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Defender

A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2026-02-24
Config / version noted
Not stated

Provenance

Reported as

The technique bypasses EDR hooks, PPL, and monitoring by operating on a copy, leveraging BYOVD to disable PPL in kernel memory.

Mechanism

Doppelganger clones the LSASS process using NtCreateProcessEx after disabling PPL via a signed vulnerable driver (RTCore64.sys) that writes to the EPROCESS structure in kernel memory. It resolves APIs dynamically from clean DLLs to avoid IAT scanning, steals a SYSTEM token from winlogon.exe for privileges, and then dumps credentials from the clone, which lacks EDR hooks and PPL.

Detection & mitigation

Monitor for loading of known vulnerable drivers like RTCore64.sys via service creation (Event ID 7045) or driver load events. Detect attempts to access winlogon.exe for token theft and use of NtCreateProcessEx with LSASS as a parent. Blocklist vulnerable drivers and enforce PPL with LSA protection.
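As an added defensive example (not code from the cited source), the following Python triages Windows System log Event ID 7045 service-installation messages for the driver-load pattern described above. The sample messages are constructed, and the user-writable-directory heuristic is an assumption, not a claim from the source.

```python
import re
from pathlib import PureWindowsPath

# Driver image names the record names explicitly; extend from your own blocklist.
KNOWN_VULNERABLE_DRIVERS = {"rtcore64.sys"}
# Heuristic (assumption, not from the source): kernel drivers normally live under
# System32\drivers, so an install from a user-writable tree deserves a look.
USER_WRITABLE_DIRS = {"users", "public", "temp", "programdata", "downloads"}

# Field layout of the Event ID 7045 message body ("A service was installed...").
FIELD_RE = re.compile(
    r"Service Name:\s*(?P<name>.*?)\s*Service File Name:\s*(?P<path>.*?)\s*"
    r"Service Type:\s*(?P<stype>.*?)\s*Service Start Type:\s*(?P<start>.*?)\s*"
    r"Service Account:\s*(?P<account>.*)$",
    re.S,
)

def normalize_path(raw: str) -> PureWindowsPath:
    # Strip quoting and the NT "\??\" prefix so path parts compare cleanly.
    raw = raw.strip().strip('"')
    if raw.startswith("\\??\\"):
        raw = raw[4:]
    return PureWindowsPath(raw)

def triage_7045(message: str):
    """Return a finding dict for a suspicious kernel-driver install, else None."""
    m = FIELD_RE.search(message)
    if not m or "kernel mode driver" not in m["stype"].lower():
        return None  # user-mode services are out of scope for BYOVD
    path = normalize_path(m["path"])
    reasons = []
    if path.name.lower() in KNOWN_VULNERABLE_DRIVERS:
        reasons.append("known_vulnerable_driver")
    if USER_WRITABLE_DIRS & {p.lower() for p in path.parts}:
        reasons.append("kernel_driver_from_user_writable_path")
    if not reasons:
        return None
    return {"name": m["name"], "image": str(path), "reasons": reasons}

def scan(messages):
    return [f for f in map(triage_7045, messages) if f]

# Constructed sample 7045 message bodies, not real telemetry.
SAMPLE_7045 = [
    "Service Name: RTCore64 Service File Name: C:\\Users\\Public\\RTCore64.sys "
    "Service Type: kernel mode driver Service Start Type: demand start Service Account: ",
    "Service Name: benign Service File Name: C:\\Windows\\System32\\drivers\\benign.sys "
    "Service Type: kernel mode driver Service Start Type: boot start Service Account: ",
    "Service Name: mydrv Service File Name: \\??\\C:\\Windows\\Temp\\mydrv.sys "
    "Service Type: kernel mode driver Service Start Type: demand start Service Account: ",
]
```

Running `scan(SAMPLE_7045)` flags the RTCore64 install (blocklisted name, user-writable path) and the Temp-resident driver, while the System32\drivers entry passes.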

BYOVD (Vulnerable Driver) has also been recorded against

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.